cleantalk
Vulnerabilities and Security Researches

Anomify AI – Anomaly Detection and Alerting, CVE-2026-6404

CVE, Research URL

CVE-2026-6404

Home page URL

Security reports for Anomify AI – Anomaly Detection and Alerting

Application

Anomify AI – Anomaly Detection and Alerting

Published on
May 20, 2026
Research Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
Affected versions
max 0.3.6.
Status
vulnerable
Previous vulnerability researches
BLOGCHAT Chat System (CVE-2026-8420) , May 23, 2026
New vulnerability
Logo Manager For Enamad (CVE-2026-6549) , May 23, 2026
Sentence To SEO (keywords, description and tags) (CVE-2026-6391) , May 23, 2026
Oliver POS – A WooCommerce Point of Sale (POS) (CVE-2026-6072) , May 23, 2026
Amazon Scraper (CVE-2026-8419) , May 23, 2026
WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons (CVE-2026-4811) , May 23, 2026